1 files changed, 34 insertions, 5 deletions

diff --git a/python/vyos/configverify.py b/python/vyos/configverify.py
index 979e28b11..4279e6982 100644
--- a/python/vyos/configverify.py
+++ b/python/vyos/configverify.py
@@ -149,9 +149,38 @@ def verify_eapol(config):
     recurring validation of EAPoL configuration.
     """
     if 'eapol' in config:
-        if not {'cert_file', 'key_file'} <= set(config['eapol']):
-            raise ConfigError('Both cert and key-file must be specified '\
-                              'when using EAPoL!')
+        if 'certificate' not in config['eapol']:
+            raise ConfigError('Certificate must be specified when using EAPoL!')
+
+        if 'certificate' not in config['pki']:
+            raise ConfigError('Invalid certificate specified for EAPoL')
+
+        cert_name = config['eapol']['certificate']
+
+        if cert_name not in config['pki']['certificate']:
+            raise ConfigError('Invalid certificate specified for EAPoL')
+
+        cert = config['pki']['certificate'][cert_name]
+
+        if 'certificate' not in cert or 'private' not in cert or 'key' not in cert['private']:
+            raise ConfigError('Invalid certificate/private key specified for EAPoL')
+
+        if 'password_protected' in cert['private']:
+            raise ConfigError('Encrypted private key cannot be used for EAPoL')
+
+        if 'ca_certificate' in config['eapol']:
+            if 'ca' not in config['pki']:
+                raise ConfigError('Invalid CA certificate specified for EAPoL')
+
+            ca_cert_name = config['eapol']['ca_certificate']
+
+            if ca_cert_name not in config['pki']['ca']:
+                raise ConfigError('Invalid CA certificate specified for EAPoL')
+
+            ca_cert = config['pki']['ca'][cert_name]
+
+            if 'certificate' not in ca_cert:
+                raise ConfigError('Invalid CA certificate specified for EAPoL')
 
 def verify_mirror(config):
     """
@@ -315,7 +344,7 @@ def verify_accel_ppp_base_service(config):
     # vertify auth settings
     if dict_search('authentication.mode', config) == 'local':
         if not dict_search('authentication.local_users', config):
-            raise ConfigError('PPPoE local auth mode requires local users to be configured!')
+            raise ConfigError('Authentication mode local requires local users to be configured!')
 
         for user in dict_search('authentication.local_users.username', config):
             user_config = config['authentication']['local_users']['username'][user]
@@ -339,7 +368,7 @@ def verify_accel_ppp_base_service(config):
                 raise ConfigError(f'Missing RADIUS secret key for server "{server}"')
 
     if 'gateway_address' not in config:
-        raise ConfigError('PPPoE server requires gateway-address to be configured!')
+        raise ConfigError('Server requires gateway-address to be configured!')
 
     if 'name_server_ipv4' in config:
         if len(config['name_server_ipv4']) > 2: